b' FEDERAL INFORMATION SECURITY\n    MANAGEMENT ACT REPORT\n\n\nFiscal Year 2007 Evaluation of the Social Security\n      Administration\'s Compliance with the\n Federal Information Security Management Act\n\n\n\n\n            September 2007       A-14-07-17101\n\n\n        Patrick P. O\xe2\x80\x99Carroll, Jr. \xe2\x80\x93 Inspector General\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, 
operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                                SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:      September 24, 2007                                                                  Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Fiscal Year 2007 Evaluation of the Social Security Administration\xe2\x80\x99s Compliance with the\n           Federal Information Security Management Act (A-14-07-17101)\n\n\n           OBJECTIVE\n           Our objective was to determine whether the Social Security Administration\xe2\x80\x99s (SSA)\n           overall security program and practices complied with the requirements of the Federal\n           Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2007. 1\n\n           BACKGROUND\n           FISMA provides the framework for securing the Federal Government\xe2\x80\x99s information\n           technology (IT). All agencies must implement the requirements of FISMA and report\n           annually to the Office of Management and Budget (OMB) and Congress on the\n           effectiveness of their security programs. FISMA requires each agency to develop,\n           document and implement an agencywide information security program. 2\n\n           OMB uses information reported pursuant to FISMA to evaluate agency-specific and\n           governmentwide security performance, develop the annual security report to Congress,\n           and assist in improving and maintaining adequate agency security performance. OMB\n           issued FY 2007 FISMA guidance (FISMA guidance) on July 25, 2007. 
3 This guidance\n           references and incorporates the requirements4 of OMB Memoranda M-06-15 5 and\n           M-06-19. 6 For additional information, see Appendix C.\n\n\n           1\n               Pub. L. No. 107-347, Title III, Section 301.\n           2\n               Pub. L. No. 107-347, Title III, Section 301 \xc2\xa7 3544 (b), 44 U.S.C. \xc2\xa7 3544 (b).\n           3\n            OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security\n           Management Act and Agency Privacy Management, July 25, 2007.\n           4\n               OMB M-07-19 supra at pages 33-34.\n           5\n               OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006.\n           6\n             OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and\n           Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.\n\x0cPage 2 - The Commissioner\n\nSCOPE AND METHODOLOGY\nFISMA directs each agency\xe2\x80\x99s Office of Inspector General (OIG) to perform an annual,\nindependent evaluation of the effectiveness of the agency\xe2\x80\x99s information security\nprogram and practices. 7 SSA\xe2\x80\x99s OIG contracted with PricewaterhouseCoopers, LLP\n(PwC) to audit SSA\xe2\x80\x99s FY 2007 financial statements. 8 Because of the extensive internal\ncontrol system review work that is completed as part of that audit, the OIG FISMA\nrequirements were incorporated into the PwC financial statement audit contract. This\nevaluation included reviews of SSA\xe2\x80\x99s mission critical sensitive systems as described in\nthe Government Accountability Office\xe2\x80\x99s Federal Information System Controls Audit\nManual (FISCAM). 
PwC performed an \xe2\x80\x9cagreed-upon procedures\xe2\x80\x9d engagement using\nFISMA, OMB, the National Institute of Standards and Technology (NIST) guidance,\nFISCAM, and other relevant security laws and regulations as a framework to complete\nthe required OIG review of SSA\xe2\x80\x99s information security program and its sensitive\nsystems. 9 See Appendix D for more details on our Scope and Methodology.\n\nSUMMARY OF RESULTS\nBased on the results of the OIG\xe2\x80\x99s and PwC\xe2\x80\x99s audit work, we determined that SSA\nsubstantially met the FISMA requirements for FY 2007. SSA continues to work towards\nmaintaining a secure environment for its information and systems and has made\nimprovements over the past year to further strengthen its compliance with FISMA. For\nexample, SSA continues to have sound remediation, certification and accreditation, and\ninventory processes. In FY 2007, SSA completed an inventory of all systems and\nsubsystems. The SSA systems inventory consisted of 20 major systems as well as\nover 300 subsystems. Our review found the FY 2007 inventory is accurate and\ncomplete.\n\nSSA also maintained Certifications and Accreditations (C&A) for all 20 major systems\nand conducted recertifications of 12 major systems using NIST Special Publication\n800-37 guidance. 10 We reviewed all 20 C&As for the major systems and they were\nsubstantially compliant with NIST 800-37. See Appendix E for the complete list of major\nsystems that were certified and accredited in FY 2007.\n\n\n\n\n7\n    Pub. L. No. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3545 (b)(1).\n8\n OIG Contract Number GS-23F-0165N, dated March 16, 2001. 
FY 2007 option was exercised on\nNovember 30, 2006.\n9\n OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, July 25, 2007.\n10\n   NIST Special Publications 800-37, Guide for the Security Certification and Accreditation of Federal\nInformation Systems, May 2004.\n\x0cPage 3 - The Commissioner\n\nWe noted several areas that would enhance security of SSA\xe2\x80\x99s systems and sensitive\ninformation. SSA should ensure:\n\n\xe2\x80\xa2     controls to protect personally identifiable information (PII) are fully developed and\n      implemented in accordance with OMB guidance;\n\xe2\x80\xa2     adequate incident response and reporting policies and procedures are implemented\n      agencywide;\n\xe2\x80\xa2     system access controls are fully implemented to meet least privilege criteria for all\n      users of SSA\xe2\x80\x99s systems;\n\xe2\x80\xa2     all contractor personnel receive annual security awareness;\n\xe2\x80\xa2     all employees and contractor personnel with significant IT security responsibilities\n      should receive specialized training; and\n\xe2\x80\xa2     the Privacy Impact Assessment (PIA) process appropriately addresses privacy and\n      PII protection issues.\n\nSSA\xe2\x80\x99S EFFORTS TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION\n\nIn May 2007, OMB issued Memorandum M-07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information, 11 to further address\nGovernment efforts to protect PII. 
The FISMA guidance 12 requires agencies to include\nthe following plans required by M-07-16 as an appendix to their annual FISMA report:\n\n\xe2\x80\xa2     breach notification policy;\n\xe2\x80\xa2     implementation plan to eliminate unnecessary use of Social Security Numbers\n      (SSN);\n\xe2\x80\xa2     implementation plan and progress update on review and reduction of holdings of PII;\n      and\n\xe2\x80\xa2     policy outlining rules of behavior and identifying consequences and corrective\n      actions available for failure to follow these rules.\n\nSSA has taken numerous steps to address OMB guidance on PII. In September 2006,\nthe Agency released, Policy and Procedures for All SSA Employees for Reporting the\nLoss or Suspected Loss of Personally Identifiable Information. 13 This policy requires\nthe reporting of incidents involving the loss or potential loss of PII within 1 hour of\ndiscovery. In March 2007, the Agency issued procedures on safeguarding PII while in\ntransit or outside of secure SSA space. In August 2007, SSA issued the Agency\xe2\x80\x99s Draft\nSSA Breach Notification Policy for comments. SSA is also working to eliminate\n11\n  OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally\nIdentifiable Information, May 22, 2007.\n12\n     OMB M-07-19, supra at cover page.\n13\n   Information Systems Security Handbook (ISSH), Appendix V,\nhttp://eis.ba.ssa.gov/ssasso/incidentrptg.htm.\n\x0cPage 4 - The Commissioner\n\nunnecessary use of the SSN and to reduce holdings of PII. The Agency has a policy\noutlining rules of behavior, 14 but needs to improve Agencywide procedures to ensure\nbetter identification of violations and corrective actions. 
Stronger procedures will likely\nresult in more consistent and appropriate handling of violations and improve the\neffectiveness of the rules of behavior as a deterrent for inappropriate activity.\n\nThe Agency has also established workgroups, a PII Executive Steering Committee,\nwhich provides oversight and recommendations on SSA policy, and the PII Breach\nResponse Group whose role is to engage in Agency planning in the event a breach\noccurs. SSA has not included the OIG in its data breach core management group as\nrecommended by OMB. 15 By including the OIG in this group, SSA will be better able to\nrespond to data losses and fully comply with OMB requirements.\n\nWhile developing its plan to reduce unnecessary use of SSNs, as required by OMB, 16\nSSA should take into consideration a cross section of potential SSN uses. For\nexample, SSA should consider information currently sent to Disability Determination\nServices (DDS) contractors providing services to beneficiaries and ensure that\ncontractors are only receiving information that they need to know. Additionally, SSA\nshould also review information contained in the Death Master File and determine what\nhappens when individuals are erroneously reported as deceased. SSA should ensure\nthat these types of situations are addressed in its plan to reduce the unnecessary use of\nSSNs.\n\nAs SSA strives to safeguard the PII in its possession, it needs to continue to assess and\nenhance policies and procedures such as those identifying consequences and\ncorrective actions available for failure to follow the rules of behavior.\n\nIMPLEMENTATION OF INCIDENT RESPONSE POLICIES AND PROCEDURES\n\nFISMA requires Federal agencies to develop, document, and implement an agencywide\ninformation security program that includes procedures for detecting, reporting, and\nresponding to security incidents. 17 SSA follows documented policies and procedures\nfor reporting cyber and physical incidents internally. 
The Agency\xe2\x80\x99s ISSH Security\nIncident Identification, Reporting, and Resolution, contains the documented cyber\nincident\n\n\n\n\n14\n ISSH, Rules of Behavior for Users and Managers of SSA\'s Automated Information Resources,\nMarch 23, 2001.\n15\n  OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification,\nSeptember 20, 2006, page 2.\n16\n     OMB M-07-16, supra at page 7.\n\n17\n     44 U.S.C. \xc2\xa7 3544(b) and (b)(7).\n\x0cPage 5 - The Commissioner\n\nreporting policies and procedures. 18 For the physical incidents, SSA\xe2\x80\x99s Automated\nInformation Management System contains internal reporting policies and procedures for\nphysical security incidents. 19\n\nSSA also has documented policies and procedures for reporting physical and cyber\nincidents to law enforcement authorities. SSA\xe2\x80\x99s Intrusion Protection Team has policies\nand procedures for reporting incidents to law enforcement authorities. These policies\nand procedures meet FISMA requirements by having the Agency send appropriate\ncases to SSA\xe2\x80\x99s OIG. However we observed in our Incident Response and Reporting\nreview, 20 that the Agency did not consistently notify OIG\xe2\x80\x99s Office of Investigations (OI)\nwhen security incidents occurred. The OI could have assisted in the preservation of\nelectronic evidence and potentially pursued issues for further investigation. The Agency\nsubsequently informed us that its components will do their utmost to provide all\nincidents to OI. We look forward to this revised procedure and will work with the\nAgency to ensure that all incidents are forwarded to OI. OI\xe2\x80\x99s Electronic Crimes Team\nalso has policies and procedures for reporting cyber incidents to other law enforcement\nauthorities, if necessary. 
The Agency has policies and procedures contained in the\nISSH for reporting physical incidents to law enforcement.\n\nSSA has documented policies and procedures for reporting internally and to law\nenforcement. However, the Agency needs to clarify and fully implement its written\nprocedures for reporting security incidents to US-CERT. As noted in our Incident\nResponse and Reporting review, 21 SSA also needs to properly categorize and report\ncomputer-related security incidents in accordance with NIST and US-CERT criteria.\nUS-CERT coordinates information received from all Federal agencies to defend the\nFederal Government against and respond to cyber attacks. By providing US-CERT with\nall appropriate information, US-CERT\xe2\x80\x99s efforts to protect the Federal Government will be\nenhanced. The Agency needs to ensure that the formal written procedures are fully\ndisseminated and implemented consistently with its policy so all appropriate incidents\nare provided to US-CERT.\n\n\n\n\n18\n     ISSH, Chapter 7, Security Incident Identification, Reporting and Resolution, November 15, 2006.\n19\n  Administrative Instructions Manual System, General Administration Manual, Chapter 12, Instruction\nNumber 07, Incident Alert Reporting, June 19, 2006.\n20\n  OIG Report, The Social Security Administration\xe2\x80\x99s Incident Response and Reporting System\n(A-14-07-17070), pp. 9, 10, August 3, 2007.\n21\n     OIG Report A-14-07-17070, supra at p.4.\n\x0cPage 6 - The Commissioner\n\nIMPLEMENTATION OF SYSTEM ACCESS CONTROLS\n\nControlling and limiting systems access to the Agency\xe2\x80\x99s information systems and\nresources is the first line of defense in assuring the confidentiality, integrity, and\navailability of the Agency\xe2\x80\x99s IT resources. Over the years, SSA has worked to establish\nsufficient access controls as evidenced by the use of Top Secret software and the\nSystem Security Profile Project. 
As a result, in FY 2005, the access control issue was\nremoved as a reportable condition from SSA auditor\xe2\x80\x99s financial statement report.\nHowever, we noted instances where SSA\xe2\x80\x99s access controls could be strengthened.\nOne area involved access to sensitive data held by DDS employees. 22 These are State\nemployees who perform services for SSA and periodically need to access SSA records.\n\nWe found that:\n\n      \xe2\x80\xa2   some DDS employees were granted unneeded access to SSA\xe2\x80\x99s sensitive data;\n      \xe2\x80\xa2   access control software did not suspend access after a period of non-use if the\n          default password has never been changed; and\n      \xe2\x80\xa2   the need for access to each resource contained in the DDS profiles had not been\n          documented for DDS employees.\n\nAnother area that could be strengthened involved employment suitability checks of SSA\ncontractor personnel. We found that a number of the contractor staff involved in office\nrelocations did not receive background checks. 23 Therefore, they should not have been\npermitted to work on-site at an SSA facility or have physical access to Agency hardware\nthat may have contained programmatic or sensitive information. As a result, SSA\nmaybe exposing its sensitive data to possible compromise. SSA should continue to\nwork to strengthen access controls in both of these areas.\n\nSECURITY AWARENESS AND SPECIALIZED TRAINING FOR EMPLOYEES AND\nCONTRACTOR PERSONNEL\n\nIdentifying Individuals with Significant IT Security Responsibilities\n\nAccording to OMB FISMA guidance, agencies are required to ensure that employees\nand contractor personnel with significant IT security responsibilities receive security\nawareness and specialized training. 
24 SSA ensures that security awareness is provided\nto all employees by requiring them to annually read the Sanctions for Unauthorized\n\n\n\n\n22\n  OIG Formal Draft, Access to SSA Data Provided by Disability Determination Services Positional\nProfiles (A-14-07-17024), August 23, 2007.\n23\n  OIG Report, The Social Security Administration\'s Information Technology Maintenance and Local Area\nNetwork Relocation Contract (A-14-07-17022), pp. 3-4, May 21, 2007.\n24\n     OMB M-07-19, supra at page 18\n\x0cPage 7 - The Commissioner\n\nSystems Access Violations and sign that they have read and understand this\ndocument. 25 However, we noted areas that need improvement.\n\nSSA needs to improve its identification of all individuals, both employees and\ncontractors, with significant IT security responsibilities. Currently, the Agency has\ndeveloped and implemented the following definition for the employees with significant IT\nsecurity responsibilities:\n\n          Employees with high levels of access to sensitive data who could\n          affect agency-wide operations and/or who perform security,\n          investigative, or auditing activities on a frequent basis. Personnel\n          in these roles have significant access to sensitive information, such\n          as social security records, medical records, business confidential\n          documents, and other personally identifiable information, which\n          needs to be protected against unauthorized access; fraudulent\n          activities; and inappropriate disclosure and modification. 26\n\nSSA\xe2\x80\x99s practice is that each component uses this definition to determine which of its\nemployees have \xe2\x80\x9c\xe2\x80\xa6 significant IT security responsibilities.\xe2\x80\x9d The Agency reviewed\nindividuals\xe2\x80\x99 responsibilities to comply with FISMA. 
SSA seems to be defining people\nwith significant security responsibility as those who spend a significant portion of their\nwork time on IT security issues. Individuals responsible for physical controls over\nAgency IT resources or those who have the ability to significantly impact security\ncontrols should be designated as having significant IT responsibilities.\n\nFor example, it would benefit SSA to include the individuals who oversee the e-mail\nsystem as those with significant security responsibilities. E-mail continues to be a major\nsource of vulnerability throughout the cyber world. Lack of adequate controls of an\norganization\xe2\x80\x99s e-mail system could lead to major network and system problems. SSA\ncan reduce its risks by refining its classification of individuals with significant IT security\nresponsibilities and ensuring that these individuals receive adequate training.\n\nAdditionally, the Agency did not consider any of its 22,098 contractors to have\nsignificant IT security responsibility because every decision made or action taken was\napproved or carried out by Agency personnel. Although the Agency may not consider\nthese contractors to have significant IT security responsibilities, there are numerous\ncontractors that work in the areas of firewall protection, intrusion protection, physical\nand systems security that should be considered as meeting the definition of individuals\nwith significant IT security responsibilities.\n\n\n\n\n25\n  SSA Office of Labor Management and Employee Relations, Sanctions for Unauthorized System\nAccess Violations, page 1, June 1998.\n26\n     ISSH, Appendix H, Security Training.\n\x0cPage 8 - The Commissioner\n\nSecurity Awareness for Contractors\n\nSSA needs to improve monitoring of security awareness notifications received by the\nAgency\xe2\x80\x99s contractors. SSA has a policy requiring all contractor personnel to read and\nsign the annual security awareness statement. 
SSA staff indicated that all contractor\npersonnel are provided the same security awareness notifications as its employees.\nHowever, because the Agency did not centrally maintain and monitor the security\nawareness efforts for its contractors, SSA could not provide supporting documentation\nto substantiate that the Agency complied with the requirement for security awareness\nfor contractors. SSA plans to change its monitoring process to improve tracking of\ncontractor security awareness.\n\nIt should be noted that OMB\xe2\x80\x99s FISMA guidance asked for OIGs and agencies to report\non security awareness training in slightly different manners. Agencies were only asked\nan overall \xe2\x80\x9cYes/No\xe2\x80\x9d question as to whether all employees and contractors were\nprovided security awareness. 27 OIGs were asked the percentage of the combined\nemployees and contractors who received security awareness. 28 According to OMB\nFISMA guidance, all employees, regardless whether they have systems access, should\nreceive annual security and privacy awareness training. 29 Contractors must be trained\non agency-specific security policies and procedures, including rules of behavior. 30 By\nnot monitoring contractor training and awareness, contractors may access SSA\xe2\x80\x99s\nsystems without being fully aware of or appropriately trained in how to handle SSA\xe2\x80\x99s\nsensitive information. SSA needs to ensure appropriate security awareness and\ntraining is provided to contractor personnel. 
As system owners, SSA has the ultimate\nresponsibility to ensure those who could impact its systems have sufficient security\nawareness and training.\n\n\n\n\n27\n     OMB M-07-19, supra at page 26.\n\n28\n     OMB M-07-19, supra at pages 34-35.\n29\n     OMB M-07-19, supra at page 18.\n30\n     Id.\n\x0cPage 9 - The Commissioner\n\nPERFORMANCE OF THE PRIVACY IMPACT ASSESSMENTS\n\nThe E-Government Act 31 and OMB M-03-22 32 require agencies to perform PIAs for\nsystems that collected PII from the public in certain situations. 33 A PIA is defined as\n\n          \xe2\x80\xa6an analysis of how information is handled: (i) to ensure handling\n          conforms to applicable legal, regulatory, and policy requirements\n          regarding privacy, (ii) to determine the risks and effects of collecting,\n          maintaining and disseminating information in identifiable form in an\n          electronic information system, and (iii) to examine and evaluate\n          protections and alternative processes for handling information to\n          mitigate potential privacy risks. 34\n\nSixteen of SSA\xe2\x80\x99s 20 significant systems collect PII from the public. During our fieldwork,\nSSA provided 2 dedicated and 9 associated PIAs for these 16 systems. The PIAs\nreviewed followed the procedures documented in \xe2\x80\x98PIA info from PRIDE.\xe2\x80\x99 35 Based on\nthe results of our review, we determined and SSA agreed that dedicated PIAs were\nneeded for the remaining 14 systems. On September 4, 2007, SSA provided the OIG\nwith the dedicated draft PIAs for the 14 remaining systems, which appeared to be\nprepared properly. SSA plans to finalize the dedicated PIAs for the remaining 14\nsystems by September 30, 2007. SSA needs to follow through with its plan to finalize\nthese 14 draft PIAs by end of September. 
In the future, completing the appropriate\nPIAs in a timely manner will enable SSA to better address the risks involved with the\ncollection and protection of sensitive information. 36\n\nCONCLUSIONS AND RECOMMENDATIONS\nDuring our FY 2007 FISMA evaluation, we determined that SSA substantially met the\nrequirements of FISMA. SSA worked cooperatively with the OIG to identify ways to\ncomply with FISMA. SSA continues to operate a myriad of security controls to protect\nits sensitive data, assets and operations. SSA develops new policies and procedures\nwhen required.\n\n\n\n31\n     E-Government Act of 2002, Pub. L. No. 107-347 \xc2\xa7 208B.1.a., December 17, 2002.\n32\n  OMB Memorandum, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the\nE-Government Act of 2002, pages 3 and 8, September 26, 2003.\n33\n  The E-Government Act of 2002, supra, requires an agency to conduct a PIA before developing or\nprocuring certain information technology, or initiating certain new collections of information in identifiable\nform that will use information technology.\n\n34\n  OMB Memorandum, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the\nE-Government Act of 2002, Attachment A \xc2\xa7 II.A.6., September 26, 2003.\n35\n     PRIDE is SSA\xe2\x80\x99s rules and guidelines for developing new systems and applications.\n36\n     E-Government Act of 2002, supra, \xc2\xa7 208B.1, OMB Memorandum, M-03-22, supra.\n\x0cPage 10 - The Commissioner\n\nTo fully comply and ensure future compliance with FISMA and other information security\nrelated laws and regulations, we recommend SSA ensure:\n\n   1. controls to protect PII are fully developed and implemented in accordance with\n      OMB guidance;\n\n   2. adequate incident response and reporting policies and procedures are\n      implemented Agencywide;\n\n   3. system access controls are fully implemented to meet least privilege criteria for\n      all users of SSA\xe2\x80\x99s systems;\n\n   4. 
refinement efforts continue for its categorization of Agency and contractor\n      personnel with significant IT security responsibility and ensure that appropriate\n      training is provided;\n\n   5. all contractor personnel receive annual security awareness; and\n\n   6. the PIA process is completed timely and that it appropriately addresses privacy\n      and PII protection issues.\n\n\n\n\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Office of the Inspector General\xe2\x80\x99s Completion of the Office of\n             Management and Budget\xe2\x80\x99s Questions Concerning Social Security\n             Administration\xe2\x80\x99s Compliance with the Federal Information Security\n             Management Act\n\nAPPENDIX C \xe2\x80\x93 Background and Current Security Status\n\nAPPENDIX D \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX E \xe2\x80\x93 Systems Certified and Accredited in Fiscal Year 2007\n\nAPPENDIX F \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                        Appendix A\n\nAcronyms\nC&A        Certifications and Accreditations\nDDS        Disability Determination Services\nFIPS       Federal Information Processing Standard\nFISCAM     Federal Information System Controls Audit Manual\nFISMA      Federal Information Security Management Act\nFY         Fiscal Year\nIT         Information Technology\nISSH       Information Systems Security Handbook\nNIST       National Institute of Standards and Technology\nOIG        Office of the Inspector General\nOI         Office of Investigations\nOMB        Office of Management and Budget\nPIA        Privacy Impact Assessments\nPII        Personally Identifiable Information\nPub. L.    
Public Law\nPOA&M      Plan of Action and Milestones\nPwC        PricewaterhouseCoopers LLP\nSSA        Social Security Administration\nSSN        Social Security Number\nU.S.C.     United States Code\nUS-CERT    United States Computer Emergency Readiness Team\n\x0c                                                                              Appendix B\nOffice of the Inspector General\xe2\x80\x99s Completion of OMB Questions\nConcerning Social Security Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Act\n\n                             Section C Inspector General: Question 1 and 2\n\n\nAgency Name: Social Security Administration                           Submission date: 9/24/07\n\n                                 Question 1: FISMA Systems Inventory\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by\nan agency or by a contractor of an agency or other organization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number\nreviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not\ncategorized). Extend the worksheet onto subsequent pages if necessary to include all\nComponent/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor\nsystems shall include information systems used or operated by a contractor of an agency or other\norganization on behalf of an agency. The total number of systems shall include both agency systems\nand contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of\ntheir agency or other organization on behalf of their agency; therefore, self reporting by contractors\ndoes not meet the requirements of law. Self-reporting by another Federal agency, for example, a\nFederal service provider, may be sufficient. 
Agencies and service providers have a shared\nresponsibility for FISMA compliance.\n                                            a.                     b.                        c.\n                                    Agency Systems              Contractor        Total Number of Systems\n                                                                Systems\n                    FIPS 199\nSocial Security      System        Total      Number       Total      Number       Total       Number\nAdministration    Impact Level    Number     Reviewed     Number     Reviewed     Number      Reviewed\n                  High                  0             0          0            0          0             0\n                  Moderate              8             8          0            0          8             8\n                  Low                  12            12          0            0         12            12\n                  Not\n                  Categorized           0             0          0            0          0             0\n Agency Totals    Total                20            20          0            0         20            20\n\n\n\n\n                                               B-1\n\x0c2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level\nin the table for Question 1, identify the number and percentage of systems which have: a current\ncertification and accreditation, security controls tested and reviewed within the past year, and a\ncontingency plan tested in accordance with policy.\n\n                                             Question 2\n\n                                        a.                       b.                      
c.\n                                    Number of          Number of systems       Number of systems for\n                                 systems certified      for which security    which contingency plans\n                                  and accredited       controls have been        have been tested in\n                                                      tested and evaluated     accordance with policy\n                                                          in the last year         and guidance\n\n                    FIPS 199\nSocial Security      System       Total    Percent     Total     Percent of     Total       Percent of\nAdministration    Impact Level   Number    of Total   Number       Total       Number         Total\n                  High                 0      0.0%         0        0.0%          0          0.0%\n                  Moderate             8     40.0%         8       40.0%          8         40.0%\n                  Low                 12     60.0%        12       60.0%         12         60.0%\n                  Not Categorized      0      0.0%         0        0.0%          0          0.0%\nAgency Totals     Total               20    100.0%        20      100.0%         20        100.0%\n\n\n\n\n                                              B-2\n\x0c                                                  Question 3\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems and agency system inventory.\n\n  3.a.    The agency performs oversight and evaluation to ensure information\n          systems used or operated by a contractor of the agency or other\n          organization on behalf of the agency meet the requirements of FISMA,\n          OMB policy and NIST guidelines, national security policy, and agency\n          policy.\n\n          Agencies are responsible for ensuring the security of information systems\n          used by a contractor of their agency or other organization on behalf of their\n          agency; therefore, self-reporting by contractors does not meet the\n          requirements of law. Self-reporting by another Federal agency, for\n          example, a Federal service provider, may be sufficient. Agencies and\n          service providers have a shared responsibility for FISMA compliance.\n\n          Response Categories:\n               - Rarely, for example, approximately 0-50% of the time\n               - Sometimes, for example, approximately 51-70% of the time\n               - Frequently, for example, approximately 71-80% of the time\n               - Mostly, for example, approximately 81-95% of the time\n               - Almost Always, for example, approximately 96-100% of the time\n\n          Response: N/A. SSA does not use any systems that are controlled by\n          contractors or other organizations.\n\n  3.b.    The agency has developed an inventory of major information systems\n          (including major national security systems) operated by or under the\n          control of such agency, including an identification of the interfaces\n          between each such system and all other systems or networks, including\n          those not operated by or under the control of the agency.\n\n          Response Categories:\n               - Approximately 0-50% complete\n               - Approximately 51-70% complete\n               - Approximately 71-80% complete\n               - Approximately 81-95% complete\n               - Approximately 96-100% complete\n\n          Response: Approximately 96-100% complete\n\n  3.c.    The OIG generally agrees with the CIO on the number of agency-owned\n          systems.\n          Response: Yes\n\n  3.d.    The OIG generally agrees with the CIO on the number of information\n          systems used or operated by a contractor of the agency or other\n          organization on behalf of the agency.\n          Response: Yes\n\n  3.e.    The agency inventory is maintained and updated at least annually.\n          Response: Yes\n\n  3.f.    If the Agency IG does not evaluate the Agency\xe2\x80\x99s inventory as 96-100%\n          complete, please list the systems that are missing from the inventory.\n          Missing Agency Systems\n          Missing Contractor Systems\n          Response: N/A\n\n\n\n\n                                                  B-3\n\x0c                                               Question 4\n\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of\naction and milestones (POA&M) process. Evaluate the degree to which each statement reflects the\nstatus in your agency by choosing from the responses provided. If appropriate or necessary,\ninclude comments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the\nagency\'s status.\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n       4.a.          The POA&M is an agencywide process, incorporating all known IT\n                     security weaknesses associated with information systems used or\n                     operated by the agency or by a contractor of the agency or other\n                     organization on behalf of the agency.\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\n       4.b.          When an IT security weakness is identified, program officials\n                     (including CIOs, if they own or operate a system) develop,\n                     implement, and manage POA&Ms for their system(s).\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\n       4.c.          Program officials and contractors report their progress on security\n                     weakness remediation to the CIO on a regular basis (at least quarterly).\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\n       4.d.          Agency CIO centrally tracks, maintains, and reviews POA&M activities\n                     on at least a quarterly basis.\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\n       4.e.          OIG findings are incorporated into the POA&M process.\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\n       4.f.          POA&M process prioritizes IT security weaknesses to help ensure\n                     significant IT security weaknesses are addressed in a timely manner\n                     and receive appropriate resources.\n                     Response: Almost Always, for example, approximately 96-100% of the time\n\nPOA&M process comments: 4.a. and 4.c. The Agency should continue to monitor the process to\nensure that all findings are included in the process.\n\n\n\n\n                                                B-4\n\x0c                                            Question 5\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including\nadherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and\nAccreditation of Federal Information Systems" (May 2004) for certification and accreditation work\ninitiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization\nof Federal Information and Information Systems" (February 2004) to determine a system impact\nlevel, as well as the associated NIST documents used as guidance for completing risk assessments\nand security plans.\n\n   5.a.      The IG rates the overall quality of the Agency\'s certification and\n             accreditation process as:\n\n             Response Categories:\n                  - Excellent\n                  - Good\n                  - Satisfactory\n                  - Poor\n                  - Failing\n\n             Response: Excellent\n\n   5.b.      The IG\'s quality rating included or considered the following aspects of\n             the C&A process (check all that apply):\n                  Security plan                    X\n                  System impact level              X\n                  System test and evaluation       X\n                  Security control testing         X\n                  Incident handling                X\n                  Security awareness training      X\n                  Configurations/patching          X\n                  Other:\n\nC&A process comments:\n\n\n\n\n                                             B-5\n\x0c                                               Question 6\n    6.a.    Provide a qualitative assessment of the agency\'s Privacy\n            Impact Assessment (PIA) process, as discussed in Section D\n            II.4 (SAOP reporting template), including adherence to\n            existing policy, guidance, and standards.\n\n            Response Categories:\n             - Excellent\n             - Good\n             - Satisfactory\n             - Poor\n             - Failing\n\n            Response: Good\n\nComments: Sixteen of SSA\xe2\x80\x99s twenty significant systems collect PII from the public. During our\nfieldwork, SSA provided 2 dedicated and 9 associated PIAs of these 16 systems. 
The Agency\nfollows the procedures in the document entitled \xe2\x80\x9cPIA info from PRIDE\xe2\x80\x9d1 to determine whether a\nPIA is required. Based on the results of our review, we determined, and SSA agreed, that\ndedicated PIAs were needed for the remaining 14 systems. On September 4, 2007, SSA\nprovided the OIG with draft dedicated PIAs for the 14 systems that collect PII from the public;\nthese appear to have been completed appropriately. SSA plans to finalize the dedicated PIAs for\nthe remaining 14 systems by September 30, 2007. Completing the appropriate PIAs will enable SSA\nto better address the risk involved in the collection and protection of sensitive information.\n\n\n    6.b.    Provide a qualitative assessment of the agency\'s progress to date\n            in implementing the provisions of M-06-15, "Safeguarding\n            Personally Identifiable Information" since the most recent self-\n            review, including the agency\'s policies and processes, and the\n            administrative, technical, and physical means used to control and\n            protect personally identifiable information (PII).\n\n            Response Categories:\n             - Excellent\n             - Good\n             - Satisfactory\n             - Poor\n             - Failing\n\n            Response: Good\n\n\nComments: SSA has taken considerable steps to safeguard PII. The Agency has established a policy\nto report incidents involving the loss or potential loss of PII to US-CERT, and has issued\nprocedures on safeguarding PII while in transit or outside of secure SSA space. It is\ndeveloping an SSA Breach Notification Policy scheduled for issuance on September 30, 2007. SSA\nstill needs to finalize and fully implement these new policies and procedures. 
Due to the time\nframe, the OIG has not yet had the opportunity to test the effectiveness of all the controls\nrecently issued.\n\n\n\n1\n    PRIDE comprises SSA\xe2\x80\x99s rules and guidelines for developing new systems and applications.\n                                                     B-6\n\x0c                                           Question 7\n\n 7.a.     Is there an agency-wide security configuration policy? Yes or No.\n          Response: Yes\nComments:\n\n\n 7.b.     Approximate the extent to which applicable information systems\n          apply common security configurations established by NIST.\n\n          Response categories:\n           - Rarely- for example, approximately 0-50% of the time\n           - Sometimes- for example, approximately 51-70% of the time\n           - Frequently- for example, approximately 71-80% of the time\n           - Mostly- for example, approximately 81-95% of the time\n           - Almost Always- for example, approximately 96-100% of the time\n\n          Response: Almost Always- for example, approximately 96-100% of the time\nComments:\n\n\n                                           Question 8\n\nIndicate whether or not the agency follows documented policies and procedures for reporting\nincidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include\ncomments in the area provided below.\n\n8.a.    The agency follows documented policies and procedures for\n        identifying and reporting incidents internally. Yes or No.\n        Response: Yes\n\n8.b.    The agency follows documented policies and procedures for\n        external reporting to the United States Computer Emergency\n        Readiness Team (US-CERT). http://www.us-cert.gov. Yes or No.\n        Response: Yes\n\n8.c.    The agency follows documented policies and procedures for\n        reporting to law enforcement. Yes or No.\n        Response: Yes\nComments: 8.b. SSA needs to ensure that the policies and procedures are fully disseminated to\nthe appropriate staff and fully implemented.\n8.c. The Agency informed us that its components will do their utmost to provide all incidents to OI.\nWe look forward to this revised procedure and will work with the Agency to ensure that all\nincidents are forwarded to OI.\n\n\n\n\n                                               B-7\n\x0c                                              Question 9\n\nHas the agency ensured security awareness training of all employees,\nincluding contractors and those employees with significant IT security\nresponsibilities?\n\nResponse Categories:\n - Rarely- or approximately 0-50% of employees\n - Sometimes- or approximately 51-70% of employees\n - Frequently- or approximately 71-80% of employees\n - Mostly- or approximately 81-95% of employees\n - Almost Always- or approximately 96-100% of employees\n\nResponse: Frequently- or approximately 71-80% of employees\n\nComments: All 64,170 SSA employees have received annual security awareness training. SSA has a\npolicy for all contractors to receive security awareness training annually, but could not confirm that\nthe policy was adhered to. Therefore, we could only confirm that 64,170 of the 86,268 employees\nand contractors, or 74%, have received security awareness training. 
Next year, SSA plans to establish a\ncontractor monitoring process for security awareness training.\n\n\n                                              Question 10\nDoes the agency explain policies regarding peer-to-peer file sharing in IT\nsecurity awareness training, ethics training, or any other agencywide training?\nYes or No.\nResponse: Yes\n\n                                             Question 11\n\nThe agency has completed system e-authentication risk assessments. Yes or No.\nResponse: Yes\n\n\n\n\n                                               B-8\n\x0c                                                                        Appendix C\n\nBackground and Current Security Status\nThe Federal Information Security Management Act (FISMA) requires agencies to create\nprotective environments for their information systems. It does so by creating a\nframework for annual Information Technology (IT) security reviews, vulnerability\nreporting, and remediation planning, implementation, evaluation, and documentation. 1\nIn Fiscal Year 2005, the Social Security Administration (SSA) resolved the long-standing\ninternal control reportable condition concerning its protection of information. 2 SSA\ncontinues to work with the Office of the Inspector General and PricewaterhouseCoopers\nLLP to further improve security over the protection of information and to resolve other\nissues observed during prior FISMA reviews.\n\nThe Office of Management and Budget (OMB) continues to stress the importance of\nprotecting the public\xe2\x80\x99s privacy and Personally Identifiable Information (PII), as emphasized\nby new guidance such as OMB M-07-16, Safeguarding Against and Responding to the\nBreach of Personally Identifiable Information. This new guidance requires agencies to\nincrease their efforts to reduce the amount of PII they collect and hold. 
OMB M-07-16 complements\nexisting PII guidance contained in OMB Memorandum M-06-15 and OMB Memorandum\nM-06-19. OMB is incorporating more privacy and PII protection questions in its annual\nFISMA guidance. OMB M-07-19 requires agencies to include in their annual FISMA\nsubmission:\n\n\xe2\x80\xa2     Breach notification policy;\n\xe2\x80\xa2     Implementation plan to eliminate unnecessary use of Social Security numbers;\n\xe2\x80\xa2     Plan and progress update on the review and reduction of PII holdings; and\n\xe2\x80\xa2     Policy outlining rules of behavior and identifying consequences and corrective\n      actions available for failure to follow these rules.\n\nIn addition, OMB M-07-19 requires Inspectors General to rate the quality of\nagencies\xe2\x80\x99 Privacy Impact Assessment processes and their efforts to protect PII in\naccordance with OMB M-06-15.\n\n\n\n\n1\n    Pub. L. No. 107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3544.\n2\n    SSA\xe2\x80\x99s FY 2005 Performance and Accountability Report, page 163.\n\n\n\n                                                      C-1\n\x0cOMB\'s annual FISMA report to Congress informs Congress and the public about the Federal\nGovernment\'s security performance and fulfills OMB\'s requirement under FISMA to submit an\nannual report to Congress. It provides OMB\'s assessment of governmentwide IT security\nstrengths and weaknesses and a plan of action to improve performance. It also examines\nagency status against key security and privacy performance measures from Fiscal Year (FY)\n2002 through FY 2006. 
The Committee on Oversight and Government Reform issues\nan annual Report Card on Computer Security at Federal Departments and Agencies.\nSSA received scores of A+ and A in the past 2 years.\n\n\n\n\n                                         C-2\n\x0c                                                                                         Appendix D\n\nScope and Methodology\nThe Federal Information Security Management Act (FISMA) directs each agency\xe2\x80\x99s\nOffice of Inspector General (OIG) to perform, or have an independent external auditor\nperform, an annual independent evaluation of the agency\xe2\x80\x99s information security program\nand practices, as well as a review of an appropriate subset of agency systems. 1 The\nSocial Security Administration\xe2\x80\x99s (SSA) OIG contracted with PricewaterhouseCoopers\nLLP (PwC) to audit SSA\xe2\x80\x99s Fiscal Year (FY) 2007 financial statements. Because of the\nextensive internal control work completed as part of that audit, our FISMA\nreview requirements were incorporated into the PwC financial statement audit contract.\nThis evaluation included Federal Information System Controls Audit Manual (FISCAM)-level\nreviews of SSA\xe2\x80\x99s mission-critical sensitive systems. PwC performed an \xe2\x80\x9cagreed-upon\nprocedures\xe2\x80\x9d engagement using FISMA; the Office of Management and Budget\n(OMB) Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management; National\nInstitute of Standards and Technology guidance; FISCAM; and other relevant security\nlaws and regulations as a framework to complete the OIG-required review of SSA\xe2\x80\x99s\ninformation security program and practices and its sensitive systems. 
We also\nconsidered the security implications of OMB Memorandum M-07-16.\n\nThe results of our FISMA evaluation are based on the PwC FY 2007 Independent\nAccountants\xe2\x80\x99 Report on Applying Agreed-Upon Procedures and its working papers,\nand on various audits and evaluations performed by this office. We also reviewed the final\ndraft of SSA\'s FY 2007 Security Program Review, as required by FISMA.\n\nOur major focus was an evaluation of SSA\xe2\x80\x99s plan of action and milestones (POA&M),\nrisk models and configuration settings, certifications and accreditations (C&A), and\nsystems inventory processes. Our evaluation of SSA\xe2\x80\x99s POA&Ms included an analysis\nof the Automated Security Self-Evaluation and Remediation Tracking system and its\npolicies. Our review of the Agency\xe2\x80\x99s C&A process included an analysis of the C&As for\neach of the 20 major systems. We also reviewed SSA\xe2\x80\x99s updated systems inventory and\nthe policy for the update process.\n\nWe performed field work at SSA facilities nationwide from March to September 2007.\nWe considered the results of other OIG audits performed in FY 2007. Our evaluation\nwas performed in accordance with generally accepted government auditing standards.\n\n\n\n\n1\n    Pub. L. No. 
107-347, Title III, Section 301, 44 U.S.C. \xc2\xa7 3545(a)(1), (a)(2), and (b)(1).\n\x0c                                                                         Appendix E\n\nSystems Certified and Accredited in Fiscal Year 2007\n#                            System                                      Acronym\n               General Support Systems\n1   Audit Trail System                                        ATS\n2   Comprehensive Integrity Review Process                    CIRP\n3   Death Alert, Control & Update System                      DACUS\n4   Debt Management System                                    DMS\n5   Disability Case Adjudication and Review System            DICARS\n6   Integrated Disability Management System                   IDMS\n7   Enterprise Wide Mainframe & Distributed Network           EWAN\n    Telecommunications Services System\n8   FALCON Data Entry System                                  FALCON\n9   Human Resources Management Information System             HRMIS\n10  Integrated Client Database System                         ICDB\n11  LENEL                                                     LENEL\n12  Recovery of Overpayments, Accounting, & Reporting System  ROAR\n13  Social Security Online Accounting and Reporting System    SSOARS\n14  Security Unified Measurement Systems                      SUMS\n\n               Major Applications\n1   Electronic Disability System                              eDib\n2   Earnings Record Maintenance System                        ERMS\n3   Retirement, Survivors & Disability Insurance System \xe2\x80\x93     RSDI \xe2\x80\x93 Accounting\n    Accounting\n4   SSN Establishment & Correction System                     SSNECS\n5   Supplemental Security Income Record Maintenance System    SSIRMS\n6   Title II System                                           Title II\n\x0c                                                                        Appendix F\n\nOIG Contacts and Staff 
Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Data Analysis and Technology Audit Division\n   (410) 965-9702\n\n   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch\n   (410) 965-9719\n\nAcknowledgments\n\nIn addition to the persons named above:\n\n   Mary Ellen Moyer, Senior Program Analyst\n\n   Deborah Kinsey, Senior Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-14-07-17101.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Science, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Governmental Affairs, U.S.\nSenate\nChairman and Ranking Minority Member, Committee on Commerce, Science and\nTransportation, U.S. Senate\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) comprises our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. 
This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'